October 2023 - Linux-stable-mirror

+ x86-mm-drop-4mb-restriction-on-minimal-numa-node-size.patch added to mm-hotfixes-unstable branch

by Andrew Morton

The patch titled Subject: x86/mm: drop 4MB restriction on minimal NUMA node size has been added to the -mm mm-hotfixes-unstable branch. Its filename is x86-mm-drop-4mb-restriction-on-minimal-numa-node-size.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patche… This patch will later appear in the mm-hotfixes-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: "Mike Rapoport (IBM)" <rppt(a)kernel.org> Subject: x86/mm: drop 4MB restriction on minimal NUMA node size Date: Tue, 17 Oct 2023 09:22:15 +0300 Qi Zheng reports crashes in a production environment and provides a simplified example as a reproducer: For example, if we use qemu to start a two NUMA node kernel, one of the nodes has 2M memory (less than NODE_MIN_SIZE), and the other node has 2G, then we will encounter the following panic: [ 0.149844] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.150783] #PF: supervisor write access in kernel mode [ 0.151488] #PF: error_code(0x0002) - not-present page <...> [ 0.156056] RIP: 0010:_raw_spin_lock_irqsave+0x22/0x40 <...> [ 0.169781] Call Trace: [ 0.170159] <TASK> [ 0.170448] deactivate_slab+0x187/0x3c0 [ 0.171031] ? bootstrap+0x1b/0x10e [ 0.171559] ? preempt_count_sub+0x9/0xa0 [ 0.172145] ? kmem_cache_alloc+0x12c/0x440 [ 0.172735] ? bootstrap+0x1b/0x10e [ 0.173236] bootstrap+0x6b/0x10e [ 0.173720] kmem_cache_init+0x10a/0x188 [ 0.174240] start_kernel+0x415/0x6ac [ 0.174738] secondary_startup_64_no_verify+0xe0/0xeb [ 0.175417] </TASK> [ 0.175713] Modules linked in: [ 0.176117] CR2: 0000000000000000 The crashes happen because of inconsistency between nodemask that has nodes with less than 4MB as memoryless and the actual memory fed into core mm. The commit 9391a3f9c7f1 ("[PATCH] x86_64: Clear more state when ignoring empty node in SRAT parsing") that introduced minimal size of a NUMA node does not explain why a node size cannot be less than 4MB and what boot failures this restriction might fix. Since then a lot has changed and core mm won't confuse badly about small node sizes. Drop the limitation for the minimal node size. Link: https://lkml.kernel.org/r/20231017062215.171670-1-rppt@kernel.org Signed-off-by: Mike Rapoport (IBM) <rppt(a)kernel.org> Reported-by: Qi Zheng <zhengqi.arch(a)bytedance.com> Closes: https://lore.kernel.org/all/20230212110305.93670-1-zhengqi.arch@bytedance.c… Acked-by: David Hildenbrand <david(a)redhat.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Borislav Petkov (AMD) <bp(a)alien8.de> Cc: Dave Hansen <dave.hansen(a)linux.intel.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: Peter Ziljstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/x86/include/asm/numa.h | 7 ------- arch/x86/mm/numa.c | 7 ------- 2 files changed, 14 deletions(-) --- a/arch/x86/include/asm/numa.h~x86-mm-drop-4mb-restriction-on-minimal-numa-node-size +++ a/arch/x86/include/asm/numa.h @@ -12,13 +12,6 @@ #define NR_NODE_MEMBLKS (MAX_NUMNODES*2) -/* - * Too small node sizes may confuse the VM badly. Usually they - * result from BIOS bugs. So dont recognize nodes as standalone - * NUMA entities that have less than this amount of RAM listed: - */ -#define NODE_MIN_SIZE (4*1024*1024) - extern int numa_off; /* --- a/arch/x86/mm/numa.c~x86-mm-drop-4mb-restriction-on-minimal-numa-node-size +++ a/arch/x86/mm/numa.c @@ -601,13 +601,6 @@ static int __init numa_register_memblks( if (start >= end) continue; - /* - * Don't confuse VM with a node that doesn't have the - * minimum amount of memory: - */ - if (end && (end - start) < NODE_MIN_SIZE) - continue; - alloc_node_data(nid); } _ Patches currently in -mm which might be from rppt(a)kernel.org are x86-mm-drop-4mb-restriction-on-minimal-numa-node-size.patch nios2-define-virtual-address-space-for-modules.patch mm-introduce-execmem_text_alloc-and-execmem_free.patch mm-execmem-arch-convert-simple-overrides-of-module_alloc-to-execmem.patch mm-execmem-arch-convert-remaining-overrides-of-module_alloc-to-execmem.patch modules-execmem-drop-module_alloc.patch mm-execmem-introduce-execmem_data_alloc.patch arm64-execmem-extend-execmem_params-for-generated-code-allocations.patch riscv-extend-execmem_params-for-generated-code-allocations.patch powerpc-extend-execmem_params-for-kprobes-allocations.patch powerpc-extend-execmem_params-for-kprobes-allocations-fix.patch arch-make-execmem-setup-available-regardless-of-config_modules.patch x86-ftrace-enable-dynamic-ftrace-without-config_modules.patch kprobes-remove-dependency-on-config_modules.patch bpf-remove-config_bpf_jit-dependency-on-config_modules-of.patch

2 years

1
0
0 0

[PATCH] drm/amd/pm: Handle non-terminated overdrive commands.

by Bas Nieuwenhuizen

The incoming strings might not be terminated by a newline or a 0. (found while testing a program that just wrote the string itself, causing a crash) Cc: stable(a)vger.kernel.org Fixes: e3933f26b657 ("drm/amd/pp: Add edit/commit/show OD clock/voltage support in sysfs") Signed-off-by: Bas Nieuwenhuizen <bas(a)basnieuwenhuizen.nl> --- drivers/gpu/drm/amd/pm/amdgpu_pm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c index da0da03569e8..f9c9eba1a815 100644 --- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c +++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c @@ -760,7 +760,7 @@ static ssize_t amdgpu_set_pp_od_clk_voltage(struct device *dev, if (adev->in_suspend && !adev->in_runpm) return -EPERM; - if (count > 127) + if (count > 127 || count == 0) return -EINVAL; if (*buf == 's') @@ -780,7 +780,8 @@ static ssize_t amdgpu_set_pp_od_clk_voltage(struct device *dev, else return -EINVAL; - memcpy(buf_cpy, buf, count+1); + memcpy(buf_cpy, buf, count); + buf_cpy[count] = 0; tmp_str = buf_cpy; @@ -797,6 +798,9 @@ static ssize_t amdgpu_set_pp_od_clk_voltage(struct device *dev, return -EINVAL; parameter_size++; + if (!tmp_str) + break; + while (isspace(*tmp_str)) tmp_str++; } -- 2.42.0

2 years

1
0
0 0

[PATCH 6.5 000/190] 6.5.8-rc2 review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 6.5.8 release. There are 190 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed, 18 Oct 2023 18:48:18 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.8-rc2.… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 6.5.8-rc2 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fixed two speaker platform Amir Goldstein <amir73il(a)gmail.com> ovl: fix regression in showing lowerdir mount option Amir Goldstein <amir73il(a)gmail.com> ovl: make use of ->layers safe in rcu pathwalk Amir Goldstein <amir73il(a)gmail.com> ovl: fix regression in parsing of mount options with escaped comma Amir Goldstein <amir73il(a)gmail.com> fs: factor out vfs_parse_monolithic_sep() helper Matthew Wilcox (Oracle) <willy(a)infradead.org> fs: Fix kernel-doc warnings Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/64e: Fix wrong test in __ptep_test_and_clear_young() Christophe Leroy <christophe.leroy(a)csgroup.eu> powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE Duoming Zhou <duoming(a)zju.edu.cn> dmaengine: mediatek: Fix deadlock caused by synchronize_irq() Rex Zhang <rex.zhang(a)intel.com> dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq Linus Torvalds <torvalds(a)linux-foundation.org> Revert "x86/smp: Put CPUs into INIT on shutdown if possible" Javier Carrasco <javier.carrasco(a)wolfvision.net> usb: misc: onboard_hub: add support for Microchip USB2412 USB 2.0 hub Hui Liu <quic_huliu(a)quicinc.com> usb: typec: qcom: Update the logic of regulator enable and disable Pawel Laszczak <pawell(a)cadence.com> usb: cdnsp: Fixes issue with dequeuing not queued requests Krishna Kurapati <quic_kriskura(a)quicinc.com> usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call Piyush Mehta <piyush.mehta(a)amd.com> usb: gadget: udc-xilinx: replace memcpy with memcpy_toio Prashanth K <quic_prashk(a)quicinc.com> usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails RD Babiera <rdbabiera(a)google.com> usb: typec: altmodes/displayport: Signal hpd low when exiting mode Heikki Krogerus <heikki.krogerus(a)linux.intel.com> usb: typec: ucsi: Fix missing link removal Jiexun Wang <wangjiexun(a)tinylab.org> RISC-V: Fix wrong use of CONFIG_HAVE_SOFTIRQ_ON_OWN_STACK Song Shuai <songshuaishuai(a)tinylab.org> riscv: Remove duplicate objcopy flag Linu Cherian <lcherian(a)marvell.com> coresight: Fix run time warnings while reusing ETR buffer Dharma Balasubiramani <dharma.b(a)microchip.com> counter: microchip-tcb-capture: Fix the use of internal GCLK logic Fabrice Gasnier <fabrice.gasnier(a)foss.st.com> counter: chrdev: fix getting array extensions Björn Töpel <bjorn(a)rivosinc.com> riscv: Only consider swbp/ss handlers for correct privileged mode Peter Wang <peter.wang(a)mediatek.com> scsi: ufs: core: Correct clear TM error log Dmitry Torokhov <dmitry.torokhov(a)gmail.com> pinctrl: avoid unsafe code pattern in find_pinctrl() Christian König <christian.koenig(a)amd.com> dma-buf: add dma_fence_timestamp helper Michal Koutný <mkoutny(a)suse.com> cgroup: Remove duplicates in cgroup v1 tasks file Mario Limonciello <mario.limonciello(a)amd.com> usb: typec: ucsi: Use GET_CAPABILITY attributes data to set power supply scope Johan Hovold <johan+linaro(a)kernel.org> power: supply: qcom_battmgr: fix enable request endianness Sebastian Reichel <sebastian.reichel(a)collabora.com> power: supply: qcom_battmgr: fix battery_id type Miquel Raynal <miquel.raynal(a)bootlin.com> can: sja1000: Always restart the Tx queue after an overrun Yanguo Li <yanguo.li(a)corigine.com> nfp: flower: avoid rmmod nfp crash issues Sarthak Kukreti <sarthakkukreti(a)chromium.org> block: Don't invalidate pagecache for invalid falloc modes Jeremy Kerr <jk(a)codeconstruct.com.au> mctp: perform route lookups under a RCU read-side lock Rijo Thomas <Rijo-john.Thomas(a)amd.com> tee: amdtee: fix use-after-free vulnerability in amdtee_close_session Hans de Goede <hdegoede(a)redhat.com> Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case Max Nguyen <maxwell.nguyen(a)hp.com> Input: xpad - add HyperX Clutch Gladiate Support Szilard Fabian <szfabian(a)bluemarch.art> Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table Matthias Berndt <matthias_berndt(a)gmx.de> Input: xpad - add PXN V900 support Jeffery Miller <jefferymiller(a)google.com> Input: psmouse - fix fast_reconnect function for PS/2 mode Javier Carrasco <javier.carrasco.cruz(a)gmail.com> Input: powermate - fix use-after-free in powermate_config_complete Dan Carpenter <dan.carpenter(a)linaro.org> ceph: fix type promotion bug on 32bit systems Xiubo Li <xiubli(a)redhat.com> ceph: fix incorrect revoked caps assert in ceph_fill_file_size() Jordan Rife <jrife(a)google.com> libceph: use kernel_connect() Michael Ellerman <mpe(a)ellerman.id.au> powerpc/47x: Fix 47x syscall return crash Athira Rajeev <atrajeev(a)linux.vnet.ibm.com> powerpc/pseries: Fix STK_PARAM access in the hcall tracing code Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Restart XDomain discovery handshake after failure Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Correct TMU mode initialization from hardware Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge Jorge Sanjuan Garcia <jorge.sanjuangarcia(a)duagon.com> mcb: remove is_added flag from mcb_device struct Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> x86/alternatives: Disable KASAN in apply_alternatives() Borislav Petkov (AMD) <bp(a)alien8.de> x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs JP Kobryn <inwardvessel(a)gmail.com> perf/x86/lbr: Filter vsyscall addresses Namjae Jeon <linkinjeon(a)kernel.org> ksmbd: not allow to open file if delelete on close bit is set Carlos Llamas <cmllamas(a)google.com> binder: fix memory leaks of spam and pending work Tony Lindgren <tony(a)atomide.com> serial: core: Fix checks for tx runtime PM state Tony Lindgren <tony(a)atomide.com> serial: 8250_omap: Fix errors with no_console_suspend Lukas Wunner <lukas(a)wunner.de> serial: Reduce spinlocked portion of uart_rs485_config() Hans de Goede <hdegoede(a)redhat.com> ACPI: EC: Add quirk for the HP Pavilion Gaming 15-dk1xxx Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Add TongFang GM6BGEQ, GM6BG5Q and GM6BG0Q to irq1_edge_low_force_override[] Hans de Goede <hdegoede(a)redhat.com> ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA Zack Rusin <zackr(a)vmware.com> drm/vmwgfx: Keep a gem reference to user bos in surfaces Daniel Miess <daniel.miess(a)amd.com> drm/amd/display: Don't set dpms_off for seamless boot Christian König <christian.koenig(a)amd.com> drm/amdgpu: add missing NULL check Simon Ser <contact(a)emersion.fr> drm/atomic-helper: relax unregistered connector check Joey Gouly <joey.gouly(a)arm.com> drm/tiny: correctly print `struct resource *` on error Matthew Wilcox (Oracle) <willy(a)infradead.org> drm: Do not overrun array in drm_gem_get_pages() Macpaul Lin <macpaul.lin(a)mediatek.com> arm64: dts: mediatek: mt8195-demo: update and reorder reserved memory regions Macpaul Lin <macpaul.lin(a)mediatek.com> arm64: dts: mediatek: mt8195-demo: fix the memory size to 8GB Hans de Goede <hdegoede(a)redhat.com> media: subdev: Don't report V4L2_SUBDEV_CAP_STREAMS when the streams API is disabled Antoniu Miclaus <antoniu.miclaus(a)analog.com> iio: addac: Kconfig: update ad74413r selections Alisa-Dariana Roman <alisa.roman(a)analog.com> iio: adc: ad7192: Correct reference voltage Alexander Zangerl <az(a)breathe-safe.com> iio: pressure: ms5611: ms5611_prom_is_valid false negative bug Lakshmi Yadlapati <lakshmiy(a)us.ibm.com> iio: pressure: dps310: Adjust Timeout Settings Antoniu Miclaus <antoniu.miclaus(a)analog.com> iio: admv1013: add mixer_vgate corner cases Marcelo Schmitt <marcelo.schmitt1(a)gmail.com> iio: dac: ad3552r: Correct device IDs Philipp Rossak <embed3d(a)gmail.com> iio: adc: imx8qxp: Fix address for command buffer registers Tzung-Bi Shih <tzungbi(a)kernel.org> iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data() Jonathan Cameron <Jonathan.Cameron(a)huawei.com> iio: imu: bno055: Fix missing Kconfig dependencies Phil Elwell <phil(a)raspberrypi.com> iio: pressure: bmp280: Fix NULL pointer exception Xingxing Luo <xingxing.luo(a)unisoc.com> usb: musb: Modify the "HWVers" register address Xingxing Luo <xingxing.luo(a)unisoc.com> usb: musb: Get the musb_qh poniter after musb_giveback Ricardo Cañuelo <ricardo.canuelo(a)collabora.com> usb: hub: Guard against accesses to uninitialized BOS descriptors Xiaolei Wang <xiaolei.wang(a)windriver.com> usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: dwc3: Soft reset phy on probe for host Javier Carrasco <javier.carrasco.cruz(a)gmail.com> net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read Lukas Wunner <lukas(a)wunner.de> xhci: Preserve RsvdP bits in ERSTBA register correctly Lukas Wunner <lukas(a)wunner.de> xhci: Clear EHB bit only at end of interrupt handler Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: track port suspend state correctly in unsuccessful resume cases Wesley Cheng <quic_wcheng(a)quicinc.com> usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer Amelie Delaunay <amelie.delaunay(a)foss.st.com> dmaengine: stm32-mdma: set in_flight_bytes in case CRQA flag is set Amelie Delaunay <amelie.delaunay(a)foss.st.com> dmaengine: stm32-mdma: use Link Address Register to compute residue Amelie Delaunay <amelie.delaunay(a)foss.st.com> dmaengine: stm32-dma: fix residue in case of MDMA chaining Amelie Delaunay <amelie.delaunay(a)foss.st.com> dmaengine: stm32-dma: fix stm32_dma_prep_slave_sg in case of MDMA chaining Amelie Delaunay <amelie.delaunay(a)foss.st.com> dmaengine: stm32-mdma: abort resume if no ongoing transfer Amir Goldstein <amir73il(a)gmail.com> ovl: temporarily disable appending lowedirs Andy Chiu <andy.chiu(a)sifive.com> riscv: signal: fix sigaltstack frame size checking Waiman Long <longman(a)redhat.com> workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> rswitch: Fix imbalance phy_power_off() calling Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> rswitch: Fix renesas_eth_sw_remove() implementation Ratheesh Kannoth <rkannoth(a)marvell.com> octeontx2-pf: Fix page pool frag allocation warning Jeremy Cline <jeremy(a)jcline.org> nfc: nci: assert requested protocol is valid Kuniyuki Iwashima <kuniyu(a)amazon.com> af_packet: Fix fortified memcpy() without flex array. Ralph Siemsen <ralph.siemsen(a)linaro.org> pinctrl: renesas: rzn1: Enable missing PINMUX Jakub Kicinski <kuba(a)kernel.org> net: tcp: fix crashes trying to free half-baked MTU probes Nils Hoppmann <niho(a)linux.ibm.com> net/smc: Fix pos miscalculation in statistics Kory Maincent <kory.maincent(a)bootlin.com> ethtool: Fix mod state of verbose no_mask bitset Eric Dumazet <edumazet(a)google.com> net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Fix unwinding past the trampoline Ilya Leoshkevich <iii(a)linux.ibm.com> s390/bpf: Fix clobbering the caller's backchain in the trampoline Will Mortensen <will(a)extrahop.com> net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp Gerd Bayer <gbayer(a)linux.ibm.com> net/smc: Fix dependency of SMC on ISM Dan Carpenter <dan.carpenter(a)linaro.org> ixgbe: fix crash with empty VF macvlan list Ruihai Zhou <zhouruihai(a)huaqin.corp-partner.google.com> drm/panel: boe-tv101wum-nl6: Completely pull GPW to VGL before TP term Radu Pirea (NXP OSS) <radu-nicolae.pirea(a)oss.nxp.com> net/mlx5e: macsec: use update_pn flag instead of PN comparation Radu Pirea (NXP OSS) <radu-nicolae.pirea(a)oss.nxp.com> net: phy: mscc: macsec: reject PN update requests Radu Pirea (NXP OSS) <radu-nicolae.pirea(a)oss.nxp.com> net: macsec: indicate next pn update when offloading Radu Pirea (NXP OSS) <radu-nicolae.pirea(a)oss.nxp.com> octeontx2-pf: mcs: update PN only when update_pn is true Eric Dumazet <edumazet(a)google.com> net: refine debug info in skb_checksum_help() David Vernet <void(a)manifault.com> bpf: Fix verifier log for async callback return values Konstantin Meskhidze <konstantin.meskhidze(a)huawei.com> drm/vmwgfx: fix typo of sizeof argument Andrew Kanner <andrew.kanner(a)gmail.com> xdp: Fix zero-size allocation warning in xskq_create() Björn Töpel <bjorn(a)rivosinc.com> riscv, bpf: Track both a0 (RISC-V ABI) and a5 (BPF) return values Björn Töpel <bjorn(a)rivosinc.com> riscv, bpf: Sign-extend return values Roger Pau Monne <roger.pau(a)citrix.com> xen-netback: use default TX queue size for vifs Dan Carpenter <dan.carpenter(a)linaro.org> mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type Dinghao Liu <dinghao.liu(a)zju.edu.cn> ieee802154: ca8210: Fix a potential UAF in ca8210_probe Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> ravb: Fix use-after-free issue in ravb_tx_timeout_work() Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> ravb: Fix up dma_free_coherent() call in ravb_remove() Moshe Shemesh <moshe(a)nvidia.com> devlink: Hold devlink lock on health reporter dump get Nícolas F. R. A. Prado <nfraprado(a)collabora.com> arm64: dts: mediatek: mt8195: Set DSU PMU status to fail Eugen Hristev <eugen.hristev(a)collabora.com> arm64: dts: mediatek: fix t-phy unit name John Watts <contact(a)jookia.org> can: sun4i_can: Only show Kconfig if ARCH_SUNXI is set Lukas Magel <lukas.magel(a)posteo.net> can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior Marek Behún <kabel(a)kernel.org> net: dsa: qca8k: fix potential MDIO bus conflict when accessing internal PHYs via management frames Marek Behún <kabel(a)kernel.org> net: dsa: qca8k: fix regmap bulk read/write methods on big endian systems Vladimir Oltean <vladimir.oltean(a)nxp.com> phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers Vladimir Oltean <vladimir.oltean(a)nxp.com> phy: lynx-28g: lock PHY while performing CDR lock workaround Ioana Ciornei <ioana.ciornei(a)nxp.com> phy: lynx-28g: cancel the CDR check work item on the remove path Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: fail dpu_plane_atomic_check() based on mdp clk limits Stephen Boyd <swboyd(a)chromium.org> drm/msm/dp: Add newlines to debug printks Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow Dan Carpenter <dan.carpenter(a)linaro.org> drm/msm/dsi: fix irq_of_parse_and_map() error checking Abhinav Kumar <quic_abhinavk(a)quicinc.com> drm/msm/dsi: skip the wait for video mode done if not applicable Kuogee Hsieh <quic_khsieh(a)quicinc.com> drm/msm/dp: do not reinitialize phy unless retry during link training Hal Feng <hal.feng(a)starfivetech.com> pinctrl: starfive: jh7110: Fix failure to set irq after CONFIG_PM is enabled Mikhail Kobuk <m.kobuk(a)ispras.ru> pinctrl: nuvoton: wpcm450: fix out of bounds write Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - ALC287 merge RTK codec with CS CS35L41 AMP Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - ALC287 I2S speaker platform support Fabian Vogt <fabian(a)ritter-vogt.de> ALSA: hda/realtek: Add quirk for mute LEDs on HP ENVY x360 15-eu0xxx SungHwan Jung <onenowy(a)gmail.com> ALSA: hda/realtek: Add quirk for HP Victus 16-d1xxx to enable mute LED Balamurugan C <balamurugan.c(a)intel.com> ASoC: Intel: soc-acpi: Add entry for sof_es8336 in MTL match table. Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: sof_sdw: add support for SKU 0B14 Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_sai: Don't disable bitclock for i.MX8MP Balamurugan C <balamurugan.c(a)intel.com> ASoC: Intel: soc-acpi: Add entry for HDMI_In capture support in MTL match table Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: Intel: soc-acpi: fix Dell SKU 0B34 Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: simple-card-utils: fixup simple_util_startup() error handling Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ASoC: SOF: amd: fix for firmware reload failure after playback Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek: Change model for Intel RVP board Stefan Binding <sbinding(a)opensource.cirrus.com> ALSA: hda: cs35l41: Cleanup and fix double free in firmware request Christos Skevis <xristos.thes(a)gmail.com> ALSA: usb-audio: Fix microphone sound on Nexigo webcam. WhaleChang <whalechang(a)google.com> ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset Sumit Garg <sumit.garg(a)linaro.org> KEYS: trusted: Remove redundant static calls usage Biju Das <biju.das.jz(a)bp.renesas.com> irqchip: renesas-rzg2l: Fix logic to clear TINT interrupt source Lad Prabhakar <prabhakar.mahadev-lad.rj(a)bp.renesas.com> dt-bindings: interrupt-controller: renesas,rzg2l-irqc: Update description for '#interrupt-cells' property Dmitry Baryshkov <dmitry.baryshkov(a)linaro.org> arm64: dts: qcom: sm8150: extend the size of the PDC resource Jordan Rife <jrife(a)google.com> net: prevent address rewrite in kernel_bind() Damien Le Moal <dlemoal(a)kernel.org> ata: libata-scsi: Disable scsi device manage_system_start_stop Matthias Reichl <hias(a)horus.com> ASoC: hdmi-codec: Fix broken channel map reporting Sven Frotscher <sven.frotscher(a)gmail.com> ASoC: amd: yc: Fix non-functional mic on Lenovo 82YM Herbert Xu <herbert(a)gondor.apana.org.au> dm crypt: Fix reqsize in crypt_iv_eboiv_gen Jan Kara <jack(a)suse.cz> quota: Fix slow quotaoff Hans de Goede <hdegoede(a)redhat.com> HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect Ondrej Zary <linux(a)zary.sk> ata: pata_parport: implement set_devctl Ondrej Zary <linux(a)zary.sk> ata: pata_parport: fix pata_parport_devchk Damien Le Moal <dlemoal(a)kernel.org> scsi: Do not rescan devices with a suspended queue Samson Tam <samson.tam(a)amd.com> drm/amd/display: apply edge-case DISPCLK WDIVIDER changes to master OTG pipes only Wenjing Liu <wenjing.liu(a)amd.com> drm/amd/display: implement pipe type definition and adding accessors Fabio Estevam <festevam(a)denx.de> media: dt-bindings: imx7-csi: Make power-domains not required for imx8mq Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning Luben Tuikov <luben.tuikov(a)amd.com> drm/amdgpu: Fix a memory leak Oza Pawandeep <quic_poza(a)quicinc.com> cpuidle, ACPI: Evaluate LPI arch_flags for broadcast timer Mathias Krause <minipli(a)grsecurity.net> drm/i915: Register engines early to avoid type confusion Armin Wolf <W_Armin(a)gmx.de> platform/x86: think-lmi: Fix reference leak Jing Zhang <renyu.zj(a)linux.alibaba.com> perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7 Artem Chernyshev <artem.chernyshev(a)red-soft.ru> RDMA/cxgb4: Check skb value for failure to allocate Remi Pommarel <repk(a)triplefau.lt> net: stmmac: remove unneeded stmmac_poll_controller ------------- Diffstat: .../interrupt-controller/renesas,rzg2l-irqc.yaml | 5 +- .../devicetree/bindings/media/nxp,imx7-csi.yaml | 1 - Documentation/filesystems/overlayfs.rst | 12 ++ Makefile | 4 +- arch/arm64/boot/dts/mediatek/mt7622.dtsi | 2 +- arch/arm64/boot/dts/mediatek/mt7986a.dtsi | 2 +- arch/arm64/boot/dts/mediatek/mt8195-demo.dts | 39 +++++-- arch/arm64/boot/dts/mediatek/mt8195.dtsi | 1 + arch/arm64/boot/dts/qcom/sm8150.dtsi | 2 +- arch/arm64/include/asm/acpi.h | 20 ++++ arch/powerpc/include/asm/nohash/32/pte-8xx.h | 7 ++ arch/powerpc/include/asm/nohash/64/pgtable.h | 2 +- arch/powerpc/include/asm/nohash/pgtable.h | 2 + arch/powerpc/kernel/entry_32.S | 8 +- arch/powerpc/platforms/pseries/hvCall.S | 4 +- arch/riscv/Makefile | 1 - arch/riscv/include/asm/kprobes.h | 11 +- arch/riscv/include/asm/uprobes.h | 13 ++- arch/riscv/kernel/irq.c | 4 +- arch/riscv/kernel/signal.c | 7 -- arch/riscv/kernel/traps.c | 28 +++-- arch/riscv/net/bpf_jit_comp64.c | 18 ++- arch/s390/net/bpf_jit_comp.c | 25 +++- arch/x86/events/utils.c | 5 +- arch/x86/include/asm/msr-index.h | 9 +- arch/x86/include/asm/smp.h | 2 - arch/x86/kernel/alternative.c | 13 +++ arch/x86/kernel/cpu/amd.c | 8 ++ arch/x86/kernel/smp.c | 39 ++----- arch/x86/kernel/smpboot.c | 27 ----- block/fops.c | 21 +++- drivers/acpi/ec.c | 11 ++ drivers/acpi/processor_idle.c | 3 +- drivers/acpi/resource.c | 26 ++++- drivers/android/binder.c | 2 + drivers/ata/libata-core.c | 90 +++++++++++++++ drivers/ata/libata-eh.c | 54 ++++++++- drivers/ata/libata-scsi.c | 16 ++- drivers/ata/libata.h | 2 + drivers/ata/pata_parport/pata_parport.c | 10 +- drivers/counter/counter-chrdev.c | 4 +- drivers/counter/microchip-tcb-capture.c | 2 +- drivers/dma-buf/dma-fence-unwrap.c | 13 +-- drivers/dma-buf/sync_file.c | 9 +- drivers/dma/idxd/device.c | 5 +- drivers/dma/mediatek/mtk-uart-apdma.c | 3 +- drivers/dma/stm32-dma.c | 11 +- drivers/dma/stm32-mdma.c | 33 ++++-- drivers/gpu/drm/amd/amdgpu/amdgpu_fru_eeprom.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 2 +- .../amd/display/dc/clk_mgr/dcn20/dcn20_clk_mgr.c | 4 +- .../amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 4 +- drivers/gpu/drm/amd/display/dc/core/dc.c | 3 + drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 35 ++++++ drivers/gpu/drm/amd/display/dc/inc/resource.h | 106 +++++++++++++++++ drivers/gpu/drm/drm_atomic_helper.c | 17 ++- drivers/gpu/drm/drm_gem.c | 6 +- drivers/gpu/drm/i915/i915_gem.c | 9 +- drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c | 27 +++-- drivers/gpu/drm/msm/dp/dp_ctrl.c | 13 +-- drivers/gpu/drm/msm/dp/dp_link.c | 4 +- drivers/gpu/drm/msm/dsi/dsi_host.c | 19 +++- drivers/gpu/drm/panel/panel-boe-tv101wum-nl6.c | 4 +- drivers/gpu/drm/scheduler/sched_main.c | 2 +- drivers/gpu/drm/tiny/simpledrm.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_bo.h | 17 ++- drivers/gpu/drm/vmwgfx/vmwgfx_cotable.c | 6 +- drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 + drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 12 +- drivers/gpu/drm/vmwgfx/vmwgfx_gem.c | 18 ++- drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +- drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 12 +- drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 31 ++--- drivers/hid/hid-logitech-hidpp.c | 3 +- drivers/hwtracing/coresight/coresight-tmc-etr.c | 24 ++-- drivers/iio/adc/ad7192.c | 29 ++++- drivers/iio/adc/imx8qxp-adc.c | 4 +- drivers/iio/addac/Kconfig | 2 + .../common/cros_ec_sensors/cros_ec_sensors_core.c | 6 +- drivers/iio/dac/ad3552r.c | 4 +- drivers/iio/frequency/admv1013.c | 4 +- drivers/iio/imu/bno055/Kconfig | 2 + drivers/iio/pressure/bmp280-core.c | 2 +- drivers/iio/pressure/dps310.c | 8 +- drivers/iio/pressure/ms5611_core.c | 2 +- drivers/infiniband/hw/cxgb4/cm.c | 3 + drivers/input/joystick/xpad.c | 4 + drivers/input/misc/powermate.c | 1 + drivers/input/mouse/elantech.c | 1 + drivers/input/mouse/synaptics.c | 1 + drivers/input/serio/i8042-acpipnpio.h | 8 ++ drivers/input/touchscreen/goodix.c | 19 ++++ drivers/irqchip/irq-renesas-rzg2l.c | 2 +- drivers/mcb/mcb-core.c | 10 +- drivers/mcb/mcb-parse.c | 2 - drivers/md/dm-crypt.c | 3 +- drivers/media/v4l2-core/v4l2-subdev.c | 7 ++ drivers/net/can/Kconfig | 2 +- drivers/net/can/sja1000/sja1000.c | 8 +- drivers/net/dsa/qca/qca8k-8xxx.c | 15 ++- drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c | 5 +- .../ethernet/marvell/octeontx2/nic/cn10k_macsec.c | 13 ++- .../ethernet/marvell/octeontx2/nic/otx2_common.c | 1 + .../ethernet/mellanox/mlx5/core/en_accel/macsec.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +- .../ethernet/mellanox/mlxsw/spectrum_nve_vxlan.c | 4 +- drivers/net/ethernet/netronome/nfp/flower/cmsg.c | 10 +- .../net/ethernet/netronome/nfp/flower/conntrack.c | 19 +++- drivers/net/ethernet/netronome/nfp/flower/main.h | 2 + .../net/ethernet/netronome/nfp/flower/metadata.c | 2 + .../net/ethernet/netronome/nfp/flower/offload.c | 24 +++- .../net/ethernet/netronome/nfp/flower/qos_conf.c | 20 ++-- drivers/net/ethernet/renesas/ravb_main.c | 6 +- drivers/net/ethernet/renesas/rswitch.c | 12 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 30 ----- drivers/net/ieee802154/ca8210.c | 17 +-- drivers/net/macsec.c | 2 + drivers/net/phy/mscc/mscc_macsec.c | 6 + drivers/net/usb/dm9601.c | 7 +- drivers/net/xen-netback/interface.c | 4 - drivers/perf/arm-cmn.c | 2 +- drivers/phy/freescale/phy-fsl-lynx-28g.c | 27 ++++- drivers/pinctrl/core.c | 16 +-- drivers/pinctrl/nuvoton/pinctrl-wpcm450.c | 6 +- drivers/pinctrl/renesas/Kconfig | 1 + drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c | 2 - drivers/platform/x86/hp/hp-wmi.c | 8 +- drivers/platform/x86/think-lmi.c | 24 +++- drivers/power/supply/qcom_battmgr.c | 8 +- drivers/s390/net/Kconfig | 2 +- drivers/scsi/scsi_scan.c | 11 +- drivers/tee/amdtee/core.c | 10 +- drivers/thunderbolt/icm.c | 40 +++---- drivers/thunderbolt/switch.c | 7 ++ drivers/thunderbolt/tmu.c | 2 +- drivers/thunderbolt/xdomain.c | 58 +++++++--- drivers/tty/serial/8250/8250_omap.c | 25 ++-- drivers/tty/serial/serial_core.c | 15 ++- drivers/ufs/core/ufshcd.c | 2 +- drivers/usb/cdns3/cdnsp-gadget.c | 3 + drivers/usb/cdns3/core.h | 3 +- drivers/usb/core/hub.c | 25 +++- drivers/usb/core/hub.h | 2 +- drivers/usb/dwc3/core.c | 39 ++++++- drivers/usb/gadget/function/f_ncm.c | 26 +++-- drivers/usb/gadget/udc/udc-xilinx.c | 20 ++-- drivers/usb/host/xhci-hub.c | 19 ++-- drivers/usb/host/xhci-mem.c | 4 +- drivers/usb/host/xhci-ring.c | 16 +-- drivers/usb/host/xhci.h | 2 +- drivers/usb/misc/onboard_usb_hub.c | 1 + drivers/usb/misc/onboard_usb_hub.h | 1 + drivers/usb/musb/musb_debugfs.c | 2 +- drivers/usb/musb/musb_host.c | 9 +- drivers/usb/typec/altmodes/displayport.c | 5 + .../usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c | 12 +- drivers/usb/typec/ucsi/psy.c | 9 ++ drivers/usb/typec/ucsi/ucsi.c | 2 + fs/ceph/file.c | 2 +- fs/ceph/inode.c | 4 +- fs/file.c | 3 +- fs/fs_context.c | 46 ++++++-- fs/ioctl.c | 10 +- fs/kernel_read_file.c | 12 +- fs/namei.c | 3 + fs/open.c | 4 +- fs/overlayfs/ovl_entry.h | 10 +- fs/overlayfs/params.c | 126 ++++++++++----------- fs/overlayfs/super.c | 18 +-- fs/quota/dquot.c | 66 ++++++----- fs/smb/server/vfs_cache.c | 4 +- include/linux/acpi.h | 9 ++ include/linux/dma-fence.h | 19 ++++ include/linux/fs_context.h | 2 + include/linux/libata.h | 6 +- include/linux/mcb.h | 1 - include/linux/quota.h | 4 +- include/linux/quotaops.h | 2 +- include/net/macsec.h | 1 + include/uapi/linux/if_packet.h | 6 +- kernel/bpf/verifier.c | 6 +- kernel/cgroup/cgroup-v1.c | 5 +- kernel/workqueue.c | 8 +- net/can/isotp.c | 19 ++-- net/ceph/messenger.c | 4 +- net/core/dev.c | 8 +- net/devlink/health.c | 30 ++--- net/ethtool/bitset.c | 32 +++++- net/ipv4/tcp_output.c | 1 + net/mctp/route.c | 22 +++- net/netfilter/ipvs/ip_vs_sync.c | 4 +- net/nfc/llcp_core.c | 30 ++--- net/nfc/nci/core.c | 5 + net/packet/af_packet.c | 7 +- net/rds/tcp_connect.c | 2 +- net/rds/tcp_listen.c | 2 +- net/smc/Kconfig | 1 + net/smc/smc_stats.h | 14 ++- net/socket.c | 6 +- net/xdp/xsk_queue.c | 10 ++ security/keys/trusted-keys/trusted_core.c | 13 +-- sound/pci/hda/cs35l41_hda.c | 115 +++++++++++++------ sound/pci/hda/patch_realtek.c | 89 +++++++++++++-- sound/soc/amd/yc/acp6x-mach.c | 7 ++ sound/soc/codecs/hdmi-codec.c | 5 +- sound/soc/fsl/fsl_sai.c | 9 +- sound/soc/generic/simple-card-utils.c | 3 +- sound/soc/intel/boards/sof_es8336.c | 10 ++ sound/soc/intel/boards/sof_sdw.c | 10 ++ sound/soc/intel/common/soc-acpi-intel-adl-match.c | 12 +- sound/soc/intel/common/soc-acpi-intel-mtl-match.c | 25 ++++ sound/soc/sof/amd/pci-rmb.c | 1 - sound/usb/mixer.c | 7 ++ sound/usb/quirks.c | 8 +- 217 files changed, 1897 insertions(+), 837 deletions(-)

2 years

7
6
0 0

Qemu-arm64: kvm-unit-tests: WARNING: at kernel/events/core.c:244 event_function

by Naresh Kamboju

Following kernel warning noticed while running kvm-unit-tests on qemu-arm64 running stable-rc 6.1.56 kernel. This kernel warning occurs intermittently on qemu-arm64 with kernel command line option "kvm-arm.mode=protected". Boot log: [ 0.000000] Linux version 6.1.56 (tuxmake@tuxmake) (aarch64-linux-gnu-gcc (Debian 13.2.0-2) 13.2.0, GNU ld (GNU Binutils for Debian) 2.41) #1 SMP PREEMPT @1696601727 [ 0.000000] random: crng init done [ 0.000000] Machine model: linux,dummy-virt ... <6>[ 0.204459] CPU features: detected: Protected KVM ... <6>[ 1.439501] kvm [1]: IPA Size Limit: 48 bits <6>[ 1.620529] kvm [1]: GICv3: no GICV resource entry <6>[ 1.623060] kvm [1]: disabling GICv2 emulation <6>[ 1.624247] kvm [1]: GIC system register CPU interface enabled <6>[ 1.626934] kvm [1]: vgic interrupt IRQ9 <6>[ 1.632519] kvm [1]: Protected nVHE mode initialized successfully Test log: --------- + ./run_tests.sh -a -v + tee -a /lava-1/0/tests/0_kvm-unit-tests/automated/linux/kvm-unit-tests/output/result_log.txt <31>[ 68.843857] systemd[1]: systemd-udevd.service: Got notification message from PID 226 (WATCHDOG=1) <31>[ 97.299940] systemd[1]: Received SIGCHLD from PID 351 (bash). <31>[ 97.320211] systemd[1]: Child 351 (bash) died (code=exited, status=0/SUCCESS) <31>[ 97.352577] systemd[1]: Child 352 (grep) died (code=exited, status=1/FAILURE) <4>[ 100.375043] ------------[ cut here ]------------ <4>[ 100.376812] WARNING: CPU: 0 PID: 356 at kernel/events/core.c:244 event_function (kernel/events/core.c:244 (discriminator 1)) <4>[ 100.378656] Modules linked in: fuse drm dm_mod ip_tables x_tables <4>[ 100.381530] CPU: 0 PID: 356 Comm: qemu-system-aar Not tainted 6.1.56 #1 <4>[ 100.382823] Hardware name: linux,dummy-virt (DT) <4>[ 100.384931] pstate: 624000c5 (nZCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) <4>[ 100.386199] pc : event_function (kernel/events/core.c:244 (discriminator 1)) <4>[ 100.387840] lr : event_function (kernel/events/core.c:168 kernel/events/core.c:226) <4>[ 100.388527] sp : ffff80000858b750 <4>[ 100.389629] x29: ffff80000858b750 x28: 0000000000000000 x27: ffffad552ce81c00 <4>[ 100.391419] x26: ffff0000c4f90000 x25: ffff80000858b8d0 x24: ffff0000c4f90000 <4>[ 100.392473] x23: ffff0000ff7ba9e8 x22: 0000000000000000 x21: ffff0000c3ddca00 <4>[ 100.393558] x20: ffff80000858b8d0 x19: ffff0000ff7ba9e0 x18: 0000000000000000 <4>[ 100.394601] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 <4>[ 100.395660] x14: 0000000000000000 x13: ffff0000c03a0031 x12: 3430376239633038 <4>[ 100.396686] x11: 0000002042c35bc1 x10: aff705512bd33e45 x9 : ffffad552df9bb24 <4>[ 100.397603] x8 : ffff80000858b708 x7 : 0000000000000000 x6 : 0000000000000001 <4>[ 100.398525] x5 : ffff80000858c000 x4 : ffff800008588000 x3 : 0000000000000000 <4>[ 100.399502] x2 : 0000000000000001 x1 : ffff0000c4d21080 x0 : 0000000000000000 <4>[ 100.400742] Call trace: <4>[ 100.401070] event_function (kernel/events/core.c:244 (discriminator 1)) <4>[ 100.401781] remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) <4>[ 100.402355] generic_exec_single (arch/arm64/include/asm/irqflags.h:85 kernel/smp.c:522) <4>[ 100.403777] smp_call_function_single (kernel/smp.c:773) <4>[ 100.404283] event_function_call (kernel/events/core.c:123 kernel/events/core.c:289) <4>[ 100.405433] perf_event_disable (kernel/events/core.c:1321 kernel/events/core.c:2499) <4>[ 100.405816] kvm_pmu_probe_armpmu (arch/arm64/kvm/pmu-emul.c:711) <4>[ 100.406563] kvm_arm_pmu_v3_set_attr (arch/arm64/kvm/pmu-emul.c:890 (discriminator 1)) <4>[ 100.407333] kvm_arm_vcpu_arch_set_attr (arch/arm64/kvm/guest.c:955) <4>[ 100.407774] kvm_arch_vcpu_ioctl (arch/arm64/kvm/arm.c:1386 (discriminator 1)) <4>[ 100.408360] kvm_vcpu_ioctl (arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4081) <4>[ 100.409176] __arm64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856) <4>[ 100.409796] invoke_syscall (arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:57) <4>[ 100.410395] el0_svc_common.constprop.0 (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/syscall.c:150) <4>[ 100.411070] do_el0_svc (arch/arm64/kernel/syscall.c:207) <4>[ 100.411603] el0_svc (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:142 arch/arm64/kernel/entry-common.c:638) <4>[ 100.412158] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:656) <4>[ 100.412574] el0t_64_sync (arch/arm64/kernel/entry.S:581) <4>[ 100.413766] ---[ end trace 0000000000000000 ]--- <4>[ 100.414762] ------------[ cut here ]------------ <4>[ 100.415317] WARNING: CPU: 0 PID: 356 at kernel/events/core.c:249 event_function (kernel/events/core.c:249 (discriminator 1)) <4>[ 100.416404] Modules linked in: fuse drm dm_mod ip_tables x_tables <4>[ 100.417743] CPU: 0 PID: 356 Comm: qemu-system-aar Tainted: G W 6.1.56 #1 <4>[ 100.418745] Hardware name: linux,dummy-virt (DT) <4>[ 100.419503] pstate: a24000c5 (NzCv daIF +PAN -UAO +TCO -DIT -SSBS BTYPE=--) <4>[ 100.420538] pc : event_function (kernel/events/core.c:249 (discriminator 1)) <4>[ 100.421156] lr : event_function (kernel/events/core.c:168 kernel/events/core.c:226) <4>[ 100.422364] sp : ffff80000858b750 <4>[ 100.422967] x29: ffff80000858b750 x28: 0000000000000000 x27: ffffad552ce81c00 <4>[ 100.424161] x26: ffff0000c4f90000 x25: ffff80000858b8d0 x24: ffff0000c4f90000 <4>[ 100.424839] x23: ffff0000ff7ba9e8 x22: 0000000000000000 x21: ffff0000c3ddca00 <4>[ 100.425502] x20: ffff80000858b8d0 x19: ffff0000ff7ba9e0 x18: 0000000000000000 <4>[ 100.426185] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 <4>[ 100.428958] x14: 0000000000000000 x13: ffff0000c03a0031 x12: 3430376239633038 <4>[ 100.429930] x11: 0000002042c35bc1 x10: aff705512bd33e45 x9 : ffffad552df9bb24 <4>[ 100.430938] x8 : ffff80000858b708 x7 : 0000000000000000 x6 : 0000000000000001 <4>[ 100.431829] x5 : ffff80000858c000 x4 : ffff800008588000 x3 : 0000000000000000 <4>[ 100.432767] x2 : 0000000000000001 x1 : ffff0000c4d21080 x0 : 0000000000000000 <4>[ 100.433677] Call trace: <4>[ 100.434167] event_function (kernel/events/core.c:249 (discriminator 1)) <4>[ 100.435066] remote_function (kernel/events/core.c:92 (discriminator 1) kernel/events/core.c:72 (discriminator 1)) <4>[ 100.435497] generic_exec_single (arch/arm64/include/asm/irqflags.h:85 kernel/smp.c:522) <4>[ 100.435875] smp_call_function_single (kernel/smp.c:773) <4>[ 100.436758] event_function_call (kernel/events/core.c:123 kernel/events/core.c:289) <4>[ 100.437374] perf_event_disable (kernel/events/core.c:1321 kernel/events/core.c:2499) <4>[ 100.438024] kvm_pmu_probe_armpmu (arch/arm64/kvm/pmu-emul.c:711) <4>[ 100.438834] kvm_arm_pmu_v3_set_attr (arch/arm64/kvm/pmu-emul.c:890 (discriminator 1)) <4>[ 100.439329] kvm_arm_vcpu_arch_set_attr (arch/arm64/kvm/guest.c:955) <4>[ 100.439981] kvm_arch_vcpu_ioctl (arch/arm64/kvm/arm.c:1386 (discriminator 1)) <4>[ 100.440393] kvm_vcpu_ioctl (arch/arm64/kvm/../../../virt/kvm/kvm_main.c:4081) <4>[ 100.441150] __arm64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:870 fs/ioctl.c:856 fs/ioctl.c:856) <4>[ 100.441766] invoke_syscall (arch/arm64/include/asm/current.h:19 arch/arm64/kernel/syscall.c:57) <4>[ 100.442312] el0_svc_common.constprop.0 (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/syscall.c:150) <4>[ 100.442801] do_el0_svc (arch/arm64/kernel/syscall.c:207) <4>[ 100.443590] el0_svc (arch/arm64/include/asm/daifflags.h:28 arch/arm64/kernel/entry-common.c:133 arch/arm64/kernel/entry-common.c:142 arch/arm64/kernel/entry-common.c:638) <4>[ 100.444125] el0t_64_sync_handler (arch/arm64/kernel/entry-common.c:656) <4>[ 100.444779] el0t_64_sync (arch/arm64/kernel/entry.S:581) <4>[ 100.445155] ---[ end trace 0000000000000000 ]--- Links: - https://tuxapi.tuxsuite.com/v1/groups/linaro/projects/lkft/tests/2WOQiJhgcc… - https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.5… - https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.1.y/build/v6.1.5… Buid: - https://storage.tuxsuite.com/public/linaro/lkft/builds/2WOQgZEtR7bb2LJfBNhO… -- Linaro LKFT https://lkft.linaro.org

2 years

1
0
0 0

[PATCH v2] wifi: wilc1000: use vmm_table as array in wilc struct

by Alexis Lothoré

From: Ajay Singh <ajay.kathat(a)microchip.com> Enabling KASAN and running some iperf tests raises some memory issues with vmm_table: BUG: KASAN: slab-out-of-bounds in wilc_wlan_handle_txq+0x6ac/0xdb4 Write of size 4 at addr c3a61540 by task wlan0-tx/95 KASAN detects that we are writing data beyond range allocated to vmm_table. There is indeed a mismatch between the size passed to allocator in wilc_wlan_init, and the range of possible indexes used later: allocation size is missing a multiplication by sizeof(u32) Fixes: 40b717bfcefa ("wifi: wilc1000: fix DMA on stack objects") Cc: stable(a)vger.kernel.org Signed-off-by: Ajay Singh <ajay.kathat(a)microchip.com> Signed-off-by: Alexis Lothoré <alexis.lothore(a)bootlin.com> --- Changes in v2: - keep dedicated dynamic allocation for vmm_table - Link to v1: https://lore.kernel.org/r/20231013-wilc1000_tx_oops-v1-1-3761beb9524d@bootl… --- drivers/net/wireless/microchip/wilc1000/wlan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/microchip/wilc1000/wlan.c b/drivers/net/wireless/microchip/wilc1000/wlan.c index 58bbf50081e4..e4113f2dfadf 100644 --- a/drivers/net/wireless/microchip/wilc1000/wlan.c +++ b/drivers/net/wireless/microchip/wilc1000/wlan.c @@ -1492,7 +1492,7 @@ int wilc_wlan_init(struct net_device *dev) } if (!wilc->vmm_table) - wilc->vmm_table = kzalloc(WILC_VMM_TBL_SIZE, GFP_KERNEL); + wilc->vmm_table = kzalloc(WILC_VMM_TBL_SIZE * sizeof(u32), GFP_KERNEL); if (!wilc->vmm_table) { ret = -ENOBUFS; --- base-commit: ea12d85cbfd6b08fff40a4fefccc011b6cfadf8e change-id: 20231012-wilc1000_tx_oops-58ce91ee3e93 Best regards, -- Alexis Lothoré, Bootlin Embedded Linux and Kernel engineering https://bootlin.com

2 years

3
5
0 0

[PATCH] bus: mhi: ep: Do not allocate event ring element on stack

by Manivannan Sadhasivam

It is possible that the host controller driver would use DMA framework to write the event ring element. So avoid allocating event ring element on the stack as DMA cannot work on vmalloc memory. Cc: stable(a)vger.kernel.org Fixes: 961aeb689224 ("bus: mhi: ep: Add support for sending events to the host") Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam(a)linaro.org> --- drivers/bus/mhi/ep/main.c | 52 +++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/drivers/bus/mhi/ep/main.c b/drivers/bus/mhi/ep/main.c index 600881808982..66ca470bf302 100644 --- a/drivers/bus/mhi/ep/main.c +++ b/drivers/bus/mhi/ep/main.c @@ -71,45 +71,61 @@ static int mhi_ep_send_event(struct mhi_ep_cntrl *mhi_cntrl, u32 ring_idx, static int mhi_ep_send_completion_event(struct mhi_ep_cntrl *mhi_cntrl, struct mhi_ep_ring *ring, struct mhi_ring_element *tre, u32 len, enum mhi_ev_ccs code) { - struct mhi_ring_element event = {}; + struct mhi_ring_element *event = kzalloc(sizeof(struct mhi_ring_element), GFP_KERNEL); + int ret; + + event->ptr = cpu_to_le64(ring->rbase + ring->rd_offset * sizeof(*tre)); + event->dword[0] = MHI_TRE_EV_DWORD0(code, len); + event->dword[1] = MHI_TRE_EV_DWORD1(ring->ch_id, MHI_PKT_TYPE_TX_EVENT); - event.ptr = cpu_to_le64(ring->rbase + ring->rd_offset * sizeof(*tre)); - event.dword[0] = MHI_TRE_EV_DWORD0(code, len); - event.dword[1] = MHI_TRE_EV_DWORD1(ring->ch_id, MHI_PKT_TYPE_TX_EVENT); + ret = mhi_ep_send_event(mhi_cntrl, ring->er_index, event, MHI_TRE_DATA_GET_BEI(tre)); + kfree(event); - return mhi_ep_send_event(mhi_cntrl, ring->er_index, &event, MHI_TRE_DATA_GET_BEI(tre)); + return ret; } int mhi_ep_send_state_change_event(struct mhi_ep_cntrl *mhi_cntrl, enum mhi_state state) { - struct mhi_ring_element event = {}; + struct mhi_ring_element *event = kzalloc(sizeof(struct mhi_ring_element), GFP_KERNEL); + int ret; + + event->dword[0] = MHI_SC_EV_DWORD0(state); + event->dword[1] = MHI_SC_EV_DWORD1(MHI_PKT_TYPE_STATE_CHANGE_EVENT); - event.dword[0] = MHI_SC_EV_DWORD0(state); - event.dword[1] = MHI_SC_EV_DWORD1(MHI_PKT_TYPE_STATE_CHANGE_EVENT); + ret = mhi_ep_send_event(mhi_cntrl, 0, event, 0); + kfree(event); - return mhi_ep_send_event(mhi_cntrl, 0, &event, 0); + return ret; } int mhi_ep_send_ee_event(struct mhi_ep_cntrl *mhi_cntrl, enum mhi_ee_type exec_env) { - struct mhi_ring_element event = {}; + struct mhi_ring_element *event = kzalloc(sizeof(struct mhi_ring_element), GFP_KERNEL); + int ret; + + event->dword[0] = MHI_EE_EV_DWORD0(exec_env); + event->dword[1] = MHI_SC_EV_DWORD1(MHI_PKT_TYPE_EE_EVENT); - event.dword[0] = MHI_EE_EV_DWORD0(exec_env); - event.dword[1] = MHI_SC_EV_DWORD1(MHI_PKT_TYPE_EE_EVENT); + ret = mhi_ep_send_event(mhi_cntrl, 0, event, 0); + kfree(event); - return mhi_ep_send_event(mhi_cntrl, 0, &event, 0); + return ret; } static int mhi_ep_send_cmd_comp_event(struct mhi_ep_cntrl *mhi_cntrl, enum mhi_ev_ccs code) { + struct mhi_ring_element *event = kzalloc(sizeof(struct mhi_ring_element), GFP_KERNEL); struct mhi_ep_ring *ring = &mhi_cntrl->mhi_cmd->ring; - struct mhi_ring_element event = {}; + int ret; + + event->ptr = cpu_to_le64(ring->rbase + ring->rd_offset * sizeof(struct mhi_ring_element)); + event->dword[0] = MHI_CC_EV_DWORD0(code); + event->dword[1] = MHI_CC_EV_DWORD1(MHI_PKT_TYPE_CMD_COMPLETION_EVENT); - event.ptr = cpu_to_le64(ring->rbase + ring->rd_offset * sizeof(struct mhi_ring_element)); - event.dword[0] = MHI_CC_EV_DWORD0(code); - event.dword[1] = MHI_CC_EV_DWORD1(MHI_PKT_TYPE_CMD_COMPLETION_EVENT); + ret = mhi_ep_send_event(mhi_cntrl, 0, event, 0); + kfree(event); - return mhi_ep_send_event(mhi_cntrl, 0, &event, 0); + return ret; } static int mhi_ep_process_cmd_ring(struct mhi_ep_ring *ring, struct mhi_ring_element *el) -- 2.25.1

2 years

1
1
0 0

FAILED: patch "[PATCH] usb: hub: Guard against accesses to uninitialized BOS" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-4.19.y git checkout FETCH_HEAD git cherry-pick -x f74a7afc224acd5e922c7a2e52244d891bbe44ee # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101551-crafter-unearth-ec06@gregkh' --subject-prefix 'PATCH 4.19.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f74a7afc224acd5e922c7a2e52244d891bbe44ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= <ricardo.canuelo(a)collabora.com> Date: Wed, 30 Aug 2023 12:04:18 +0200 Subject: [PATCH] usb: hub: Guard against accesses to uninitialized BOS descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:hub_port_reset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hub_event+0x73f/0x156e ? hub_activate+0x5b7/0x68f process_one_work+0x1a2/0x487 worker_thread+0x11a/0x288 kthread+0x13a/0x152 ? process_one_work+0x487/0x487 ? kthread_associate_blkcg+0x70/0x70 ret_from_fork+0x1f/0x30 Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup. Signed-off-by: Ricardo Cañuelo <ricardo.canuelo(a)collabora.com> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20230830100418.1952143-1-ricardo.canuelo@collabor… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 3c54b218301c..0ff47eeffb49 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -151,6 +151,10 @@ int usb_device_supports_lpm(struct usb_device *udev) if (udev->quirks & USB_QUIRK_NO_LPM) return 0; + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return 0; + /* USB 2.1 (and greater) devices indicate LPM support through * their USB 2.0 Extended Capabilities BOS descriptor. */ @@ -327,6 +331,10 @@ static void usb_set_lpm_parameters(struct usb_device *udev) if (!udev->lpm_capable || udev->speed < USB_SPEED_SUPER) return; + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return; + hub = usb_hub_to_struct_hub(udev->parent); /* It doesn't take time to transition the roothub into U0, since it * doesn't have an upstream link. @@ -2704,13 +2712,17 @@ int usb_authorize_device(struct usb_device *usb_dev) static enum usb_ssp_rate get_port_ssp_rate(struct usb_device *hdev, u32 ext_portstatus) { - struct usb_ssp_cap_descriptor *ssp_cap = hdev->bos->ssp_cap; + struct usb_ssp_cap_descriptor *ssp_cap; u32 attr; u8 speed_id; u8 ssac; u8 lanes; int i; + if (!hdev->bos) + goto out; + + ssp_cap = hdev->bos->ssp_cap; if (!ssp_cap) goto out; @@ -4215,8 +4227,15 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, enum usb3_link_state state) { int timeout; - __u8 u1_mel = udev->bos->ss_cap->bU1devExitLat; - __le16 u2_mel = udev->bos->ss_cap->bU2DevExitLat; + __u8 u1_mel; + __le16 u2_mel; + + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return; + + u1_mel = udev->bos->ss_cap->bU1devExitLat; + u2_mel = udev->bos->ss_cap->bU2DevExitLat; /* If the device says it doesn't have *any* exit latency to come out of * U1 or U2, it's probably lying. Assume it doesn't implement that link diff --git a/drivers/usb/core/hub.h b/drivers/usb/core/hub.h index 37897afd1b64..d44dd7f6623e 100644 --- a/drivers/usb/core/hub.h +++ b/drivers/usb/core/hub.h @@ -153,7 +153,7 @@ static inline int hub_is_superspeedplus(struct usb_device *hdev) { return (hdev->descriptor.bDeviceProtocol == USB_HUB_PR_SS && le16_to_cpu(hdev->descriptor.bcdUSB) >= 0x0310 && - hdev->bos->ssp_cap); + hdev->bos && hdev->bos->ssp_cap); } static inline unsigned hub_power_on_good_delay(struct usb_hub *hub)

2 years

2
1
0 0

FAILED: patch "[PATCH] usb: hub: Guard against accesses to uninitialized BOS" failed to apply to 5.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.4.y git checkout FETCH_HEAD git cherry-pick -x f74a7afc224acd5e922c7a2e52244d891bbe44ee # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101550-bountiful-matriarch-1441@gregkh' --subject-prefix 'PATCH 5.4.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f74a7afc224acd5e922c7a2e52244d891bbe44ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= <ricardo.canuelo(a)collabora.com> Date: Wed, 30 Aug 2023 12:04:18 +0200 Subject: [PATCH] usb: hub: Guard against accesses to uninitialized BOS descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:hub_port_reset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hub_event+0x73f/0x156e ? hub_activate+0x5b7/0x68f process_one_work+0x1a2/0x487 worker_thread+0x11a/0x288 kthread+0x13a/0x152 ? process_one_work+0x487/0x487 ? kthread_associate_blkcg+0x70/0x70 ret_from_fork+0x1f/0x30 Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup. Signed-off-by: Ricardo Cañuelo <ricardo.canuelo(a)collabora.com> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20230830100418.1952143-1-ricardo.canuelo@collabor… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 3c54b218301c..0ff47eeffb49 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -151,6 +151,10 @@ int usb_device_supports_lpm(struct usb_device *udev) if (udev->quirks & USB_QUIRK_NO_LPM) return 0; + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return 0; + /* USB 2.1 (and greater) devices indicate LPM support through * their USB 2.0 Extended Capabilities BOS descriptor. */ @@ -327,6 +331,10 @@ static void usb_set_lpm_parameters(struct usb_device *udev) if (!udev->lpm_capable || udev->speed < USB_SPEED_SUPER) return; + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return; + hub = usb_hub_to_struct_hub(udev->parent); /* It doesn't take time to transition the roothub into U0, since it * doesn't have an upstream link. @@ -2704,13 +2712,17 @@ int usb_authorize_device(struct usb_device *usb_dev) static enum usb_ssp_rate get_port_ssp_rate(struct usb_device *hdev, u32 ext_portstatus) { - struct usb_ssp_cap_descriptor *ssp_cap = hdev->bos->ssp_cap; + struct usb_ssp_cap_descriptor *ssp_cap; u32 attr; u8 speed_id; u8 ssac; u8 lanes; int i; + if (!hdev->bos) + goto out; + + ssp_cap = hdev->bos->ssp_cap; if (!ssp_cap) goto out; @@ -4215,8 +4227,15 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, enum usb3_link_state state) { int timeout; - __u8 u1_mel = udev->bos->ss_cap->bU1devExitLat; - __le16 u2_mel = udev->bos->ss_cap->bU2DevExitLat; + __u8 u1_mel; + __le16 u2_mel; + + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return; + + u1_mel = udev->bos->ss_cap->bU1devExitLat; + u2_mel = udev->bos->ss_cap->bU2DevExitLat; /* If the device says it doesn't have *any* exit latency to come out of * U1 or U2, it's probably lying. Assume it doesn't implement that link diff --git a/drivers/usb/core/hub.h b/drivers/usb/core/hub.h index 37897afd1b64..d44dd7f6623e 100644 --- a/drivers/usb/core/hub.h +++ b/drivers/usb/core/hub.h @@ -153,7 +153,7 @@ static inline int hub_is_superspeedplus(struct usb_device *hdev) { return (hdev->descriptor.bDeviceProtocol == USB_HUB_PR_SS && le16_to_cpu(hdev->descriptor.bcdUSB) >= 0x0310 && - hdev->bos->ssp_cap); + hdev->bos && hdev->bos->ssp_cap); } static inline unsigned hub_power_on_good_delay(struct usb_hub *hub)

2 years

2
1
0 0

FAILED: patch "[PATCH] usb: hub: Guard against accesses to uninitialized BOS" failed to apply to 5.10-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x f74a7afc224acd5e922c7a2e52244d891bbe44ee # <resolve conflicts, build, test, etc.> git commit -s git send-email --to '<stable(a)vger.kernel.org>' --in-reply-to '2023101548-guidable-approach-14ef@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ From f74a7afc224acd5e922c7a2e52244d891bbe44ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo?= <ricardo.canuelo(a)collabora.com> Date: Wed, 30 Aug 2023 12:04:18 +0200 Subject: [PATCH] usb: hub: Guard against accesses to uninitialized BOS descriptors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev->bos without checking if it was allocated and initialized. If usb_get_bos_descriptor() fails for whatever reason, udev->bos will be NULL and those accesses will result in a crash: BUG: kernel NULL pointer dereference, address: 0000000000000018 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 5 PID: 17818 Comm: kworker/5:1 Tainted: G W 5.15.108-18910-gab0e1cb584e1 #1 <HASH:1f9e 1> Hardware name: Google Kindred/Kindred, BIOS Google_Kindred.12672.413.0 02/03/2021 Workqueue: usb_hub_wq hub_event RIP: 0010:hub_port_reset+0x193/0x788 Code: 89 f7 e8 20 f7 15 00 48 8b 43 08 80 b8 96 03 00 00 03 75 36 0f b7 88 92 03 00 00 81 f9 10 03 00 00 72 27 48 8b 80 a8 03 00 00 <48> 83 78 18 00 74 19 48 89 df 48 8b 75 b0 ba 02 00 00 00 4c 89 e9 RSP: 0018:ffffab740c53fcf8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffa1bc5f678000 RCX: 0000000000000310 RDX: fffffffffffffdff RSI: 0000000000000286 RDI: ffffa1be9655b840 RBP: ffffab740c53fd70 R08: 00001b7d5edaa20c R09: ffffffffb005e060 R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 R13: ffffab740c53fd3e R14: 0000000000000032 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa1be96540000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000022e80c005 CR4: 00000000003706e0 Call Trace: hub_event+0x73f/0x156e ? hub_activate+0x5b7/0x68f process_one_work+0x1a2/0x487 worker_thread+0x11a/0x288 kthread+0x13a/0x152 ? process_one_work+0x487/0x487 ? kthread_associate_blkcg+0x70/0x70 ret_from_fork+0x1f/0x30 Fall back to a default behavior if the BOS descriptor isn't accessible and skip all the functionalities that depend on it: LPM support checks, Super Speed capabilitiy checks, U1/U2 states setup. Signed-off-by: Ricardo Cañuelo <ricardo.canuelo(a)collabora.com> Cc: stable <stable(a)vger.kernel.org> Link: https://lore.kernel.org/r/20230830100418.1952143-1-ricardo.canuelo@collabor… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c index 3c54b218301c..0ff47eeffb49 100644 --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -151,6 +151,10 @@ int usb_device_supports_lpm(struct usb_device *udev) if (udev->quirks & USB_QUIRK_NO_LPM) return 0; + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return 0; + /* USB 2.1 (and greater) devices indicate LPM support through * their USB 2.0 Extended Capabilities BOS descriptor. */ @@ -327,6 +331,10 @@ static void usb_set_lpm_parameters(struct usb_device *udev) if (!udev->lpm_capable || udev->speed < USB_SPEED_SUPER) return; + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return; + hub = usb_hub_to_struct_hub(udev->parent); /* It doesn't take time to transition the roothub into U0, since it * doesn't have an upstream link. @@ -2704,13 +2712,17 @@ int usb_authorize_device(struct usb_device *usb_dev) static enum usb_ssp_rate get_port_ssp_rate(struct usb_device *hdev, u32 ext_portstatus) { - struct usb_ssp_cap_descriptor *ssp_cap = hdev->bos->ssp_cap; + struct usb_ssp_cap_descriptor *ssp_cap; u32 attr; u8 speed_id; u8 ssac; u8 lanes; int i; + if (!hdev->bos) + goto out; + + ssp_cap = hdev->bos->ssp_cap; if (!ssp_cap) goto out; @@ -4215,8 +4227,15 @@ static void usb_enable_link_state(struct usb_hcd *hcd, struct usb_device *udev, enum usb3_link_state state) { int timeout; - __u8 u1_mel = udev->bos->ss_cap->bU1devExitLat; - __le16 u2_mel = udev->bos->ss_cap->bU2DevExitLat; + __u8 u1_mel; + __le16 u2_mel; + + /* Skip if the device BOS descriptor couldn't be read */ + if (!udev->bos) + return; + + u1_mel = udev->bos->ss_cap->bU1devExitLat; + u2_mel = udev->bos->ss_cap->bU2DevExitLat; /* If the device says it doesn't have *any* exit latency to come out of * U1 or U2, it's probably lying. Assume it doesn't implement that link diff --git a/drivers/usb/core/hub.h b/drivers/usb/core/hub.h index 37897afd1b64..d44dd7f6623e 100644 --- a/drivers/usb/core/hub.h +++ b/drivers/usb/core/hub.h @@ -153,7 +153,7 @@ static inline int hub_is_superspeedplus(struct usb_device *hdev) { return (hdev->descriptor.bDeviceProtocol == USB_HUB_PR_SS && le16_to_cpu(hdev->descriptor.bcdUSB) >= 0x0310 && - hdev->bos->ssp_cap); + hdev->bos && hdev->bos->ssp_cap); } static inline unsigned hub_power_on_good_delay(struct usb_hub *hub)

2 years

2
1
0 0

[PATCH net-next] nfc: nci: fix possible NULL pointer dereference in send_acknowledge()

by Krzysztof Kozlowski

Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference. Reported-by: 黄思聪 <huangsicong(a)iie.ac.cn> Fixes: 391d8a2da787 ("NFC: Add NCI over SPI receive") Cc: <stable(a)vger.kernel.org> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org> --- net/nfc/nci/spi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/nfc/nci/spi.c b/net/nfc/nci/spi.c index 0935527d1d12..b68150c971d0 100644 --- a/net/nfc/nci/spi.c +++ b/net/nfc/nci/spi.c @@ -151,6 +151,8 @@ static int send_acknowledge(struct nci_spi *nspi, u8 acknowledge) int ret; skb = nci_skb_alloc(nspi->ndev, 0, GFP_KERNEL); + if (!skb) + return -ENOMEM; /* add the NCI SPI header to the start of the buffer */ hdr = skb_push(skb, NCI_SPI_HDR_LEN); -- 2.34.1

2 years

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror October 2023